Wednesday, September 14, 2011

I have R1, R2, and R3, and I want to use CBAC to effectively help create a security policy that I can apply to R2.

I consider R2's fa0/1 the inside network and R2's s0/1/0 the outside network.

I want to use Context Based Access Control when allowing the inside segment access to services on the outside segment, and to inspect TCP, UDP, HTTP, Telnet, ICMP and TFTP traffic. I want to collect audit statistics on TFTP traffic and have a UDP session inactivity timeout of 20 seconds. For the HTTP inspected traffic I do not want to allow Java applets to be downloaded from R3 with the host address of 10.0.3.3. For Telnet traffic, I want to ensure traffic is inspected while using TCP port 33 to connect from R1 to R3, by adding to R2's port-maps. I want to allow the inside segment to receive responses when using traceroute. I will assume a maximum of 2000 sessions open concurrently, and will adjust the CBAC hash table from its default of 1024 to 2048. I want to allow the outside segment access to TCP 80 on R1, allow my routing protocol, disallow ping responses, and configure TCP intercept with CBAC.

Before I begin the CBAC configuration steps, I want to visit the TCP intercept feature and verify its operation, since CBAC incorporates this feature into its own operation.

The TCP intercept feature works as its name describes: it intercepts TCP connections. In my scenario, R1 is hosting HTTP services, and R2 will be configured to intercept TCP SYN packets when R3 attempts to make a connection to R1. TCP intercept can be configured to act as the middleman in the three-way handshake (intercept mode) or to only observe the handshake process (watch mode). In either case, I can configure R2 to drop half-open connections, either by dropping the connection itself or by sending reset (RST) messages on the protected server's behalf.

I'll configure R2 to protect the web server on R1 and operate in intercept mode with a connection-timeout of 5 seconds. Additionally, I will set the router to begin dropping packets, oldest first, when the number of half-open connections reaches the maximum of 10, and to continue dropping until the number of half-open connections falls to 5. Furthermore, I want to protect against SYN flood attacks by dropping SYN packets when the rate reaches 20 per minute, and to resume once that rate has fallen to 10 per minute.

R2(config)#access-list 101 permit ip any host 10.1.12.1
R2(config)#ip tcp intercept list 101
R2(config)#ip tcp intercept mode intercept
R2(config)#ip tcp intercept connection-timeout 5
R2(config)#ip tcp intercept max-incomplete low 5 high 10
R2(config)#ip tcp intercept drop-mode oldest
R2(config)#ip tcp intercept one-minute low 10 high 20

Note that an ACL is required to identify the traffic to protect when using TCP intercept.

R2 attempts to retransmit the SYN-ACK on R1's behalf until the exponential backoff timer expires, at which point the connection is reset.
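To make the threshold behaviour configured above concrete, here is an added Python model of how the max-incomplete and one-minute high/low marks drive aggressive mode and oldest-first dropping. It is an illustration written for this page, not IOS code and not from the original post; the connection names, timestamps and SYN sequences are constructed, and the connection-timeout and RST behaviour are left out.

```python
from collections import OrderedDict

class TcpIntercept:
    """Half-open connection table driven by the page's threshold settings (model)."""
    def __init__(self, max_low=5, max_high=10, rate_low=10, rate_high=20):
        self.max_low, self.max_high = max_low, max_high
        self.rate_low, self.rate_high = rate_low, rate_high
        self.half_open = OrderedDict()  # conn -> SYN time, oldest first
        self.syn_times = []             # SYN arrival times, for the one-minute rate
        self.aggressive = False
        self.dropped = []               # connections evicted by drop-mode oldest

    def tick(self, now):
        """Enter aggressive mode past either high mark; leave only below both lows."""
        self.syn_times = [t for t in self.syn_times if now - t < 60]
        count, rate = len(self.half_open), len(self.syn_times)
        if count > self.max_high or rate > self.rate_high:
            self.aggressive = True
        elif count < self.max_low and rate < self.rate_low:
            self.aggressive = False
        return self.aggressive

    def syn(self, conn, now):
        """A client SYN toward the protected server arrives at the router."""
        self.syn_times.append(now)
        if self.aggressive and self.half_open:
            oldest, _ = self.half_open.popitem(last=False)  # drop-mode oldest
            self.dropped.append(oldest)
        self.half_open[conn] = now
        return self.tick(now)

    def ack(self, conn, now):
        """The client's final ACK completes the handshake: no longer half-open."""
        self.half_open.pop(conn, None)
        return self.tick(now)

def syn_flood(n):
    """n SYNs one second apart that never complete (constructed flood)."""
    ti = TcpIntercept()
    for i in range(n):
        ti.syn(f"c{i}", float(i))
    return ti.dropped, ti.aggressive, len(ti.half_open)

def syn_burst(n, gap=0.5):
    """n SYNs that each complete at once, so only the one-minute rate matters."""
    ti = TcpIntercept()
    for i in range(n):
        ti.syn(f"c{i}", i * gap)
        ti.ack(f"c{i}", i * gap)
    return ti.aggressive
```

Note the hysteresis: once aggressive, the router stays aggressive until both the half-open count and the one-minute SYN rate have fallen below their low marks, not merely below the high ones.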

With that, I'll remove the previous ip tcp intercept commands, and move on to configure R2 as a stateful firewall with CBAC.

CBAC only inspects TCP and UDP traffic. If other services need to be filtered, I must use an access list instead.

The difference between reflexive ACLs and CBAC is that reflexive ACLs rely on the return traffic being a mirror of the sent traffic, whereas CBAC uses an application inspection engine per application to inspect traffic and is aware of the application's conversation.

I'll create an inspection rule called CBAC for TCP, UDP, HTTP, Telnet, and ICMP traffic. Since UDP is connectionless, there will be no FIN packet to finish sessions, so I'll configure a UDP session inactivity timeout of 20 seconds. Also, I will create an ACL and tie it to the HTTP inspection so that Java applets are allowed only from the host address 10.0.3.3.

R2(config)#access-list 10 permit host 10.0.3.3
R2(config)#ip inspect name CBAC tcp
R2(config)#ip inspect name CBAC udp audit-trail on timeout 20
R2(config)#ip inspect name CBAC http java-list 10
R2(config)#ip inspect name CBAC telnet
R2(config)#ip inspect name CBAC icmp

As mentioned, some telnet traffic could use destination TCP port 33, so I will map TCP 33 to telnet so that it is inspected as well.

R2(config)#ip port-map telnet port 33
R2(config)#do show ip port-map | include user
Default mapping: telnet tcp port 33 user defined

According to Cisco recommendations, I should try to maintain a 1:1 ratio between the number of sessions and the size of the hash table. By default there are 1024 buckets. Since I will have a maximum of 2000 concurrent sessions, I will double the default bucket size.

R2(config)#ip inspect hashtable-size 2048

To verify that the inspection rule has been applied to the correct interface and direction, I will use show ip inspect interfaces.

R2#show ip inspect interfaces
Interface Configuration
 Interface Serial0/1/0
  Inbound inspection rule is not set
  Outgoing inspection rule is CBAC
    tcp alert is off audit-trail is off timeout 3600
    udp alert is off audit-trail is on timeout 20
    http java-list 10 alert is off audit-trail is off timeout 3600
    telnet alert is off audit-trail is off timeout 3600
    icmp alert is off audit-trail is off timeout 10
  Inbound access list is OUTSIDE_IN
  Outgoing access list is not set
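As an added check that is not part of the original post, here is a Python parser for the show ip inspect interfaces output above; it turns the output into a structure and compares it against the state the earlier inspect, port-map and hash-table steps were meant to produce on R2's outside interface. The sample is reconstructed from the output on this page, and the field names and POLICY dictionary are my own.

```python
import re

# Constructed from the show ip inspect interfaces output quoted on this page.
SAMPLE = """Interface Configuration
 Interface Serial0/1/0
  Inbound inspection rule is not set
  Outgoing inspection rule is CBAC
    tcp alert is off audit-trail is off timeout 3600
    udp alert is off audit-trail is on timeout 20
    http java-list 10 alert is off audit-trail is off timeout 3600
    telnet alert is off audit-trail is off timeout 3600
    icmp alert is off audit-trail is off timeout 10
  Inbound access list is OUTSIDE_IN
  Outgoing access list is not set"""
# The state the post set out to reach on R2's outside interface (assumed policy).
POLICY = {"outgoing_inspection_rule": "CBAC", "inbound_access_list": "OUTSIDE_IN",
          "protocols": {"udp": {"audit_trail": True, "timeout": 20},
                        "http": {"java_list": 10}, "telnet": {}, "icmp": {}}}
RULE = re.compile(r"(Inbound|Outgoing) (inspection rule|access list) is (.+)$")
PROTO = re.compile(r"(\w+)(?: java-list (\d+))? alert is (on|off) "
                   r"audit-trail is (on|off) timeout (\d+)$")

def parse_inspect_interfaces(text):
    """Return {interface: {rule/ACL fields, 'protocols': {name: settings}}}."""
    interfaces, cur = {}, {"protocols": {}}  # lines before any interface are ignored
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Interface ") and line != "Interface Configuration":
            cur = interfaces.setdefault(line.split()[1], {"protocols": {}})
        elif m := RULE.match(line):
            key = f"{m[1].lower()}_{m[2].replace(' ', '_')}"
            cur[key] = None if m[3] == "not set" else m[3]
        elif m := PROTO.match(line):
            cur["protocols"][m[1]] = {"java_list": int(m[2]) if m[2] else None,
                                      "alert": m[3] == "on", "audit_trail": m[4] == "on",
                                      "timeout": int(m[5])}
    return interfaces

def policy_findings(parsed, interface="Serial0/1/0", policy=POLICY):
    """List every way the parsed state differs from the intended policy."""
    iface = parsed.get(interface, {"protocols": {}})
    findings = [f"{k} is {iface.get(k)}, expected {v}"
                for k, v in policy.items() if k != "protocols" and iface.get(k) != v]
    for proto, want in policy["protocols"].items():
        have = iface["protocols"].get(proto)
        if have is None:
            findings.append(f"{proto} is not inspected")
            continue
        findings += [f"{proto} {f} is {have[f]}, expected {v}"
                     for f, v in want.items() if have[f] != v]
    return findings
```

An empty findings list means the running state matches the intended policy; anything else names the exact field that drifted, which is what you want to re-run after every configuration change.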

4 comments:

Hi, Great.. Tutorial is just awesome..It is really helpful for a newbie like me.. I am a regular follower of your blog. Really very informative post you shared here. Kindly keep blogging. If anyone wants to become a Java developer learn from Java Training in Chennai. or learn thru Java Online Training in India . Nowadays Java has tons of job opportunities on various vertical industry.

I appreciate that you produced this wonderful article to help us get more knowledge about this topic. I know, it is not an easy task to write such a big article in one day, I've tried that and I've failed. But, here you are, trying the big task and finishing it off and getting good comments and ratings. That is one hell of a job done!